Offshore Outsourcing will help you to reduce cost and enhance your productivity

Home About Us Services Partners Articles Classifieds Directory Contact Us
   
Offshoring
Outsourcing
BPO
Computers Networks
Internet
Operating Systems
Data Storage
Telecommunications
Programming
Software Engineering
Information Technology
Online Rights - Law
Business
E-Commerce
IT Outsourcing
Business Consulting
Finance & Accounting
Graphic Design
Web Services
Search Engine Optimization
Open Source
Hardware
Security
Others
Games
Home>> Articles>> >>

Flaw trifecta kicks off Month of PHP bugs
Stefan Esser's month of PHP bugs project is off and running with details on three unpatched vulnerabilities that could lead to program crashes and possible code execution attacks.

The first batch of flaws published on the project home page covers two recursion stack overflows and a reference counter overflow. These can lead to remotely triggable crashes, Esser warned.

Exploit code for one of the bugs has also been released.

The first three advisories cover:

* PHP Variable Destructor Deep Recursion Stack Overflow — One of the problems in PHP is that it does not enforce any kind of sanity checks for the depth of nested arrays and because the variable registration is done in a iterative way it will accept any depth until the memory_limit is reached. Unfortunately the destruction of PHP arrays is done in a recursive way and therefore it can crash when the stack limit is exhausted. An attacker can use this fact to let PHP crash in a more or less controlled way. It is trivial to let it crash on script startup or at the end of the request.

* PHP Executor Deep Recursion Stack Overflow — PHP does not protect against deep recursions. Whenever a PHP application goes into a very deep recursion it will crash when it runs out of stack. There are many PHP applications out there that can be forced into a deep recursion. When PHP crashs, many webservers will not log the request parameters, but only the crash and secondly a crash will kill all other threads of a multithreaded webserver.

* PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability — This is a PHP 4 security vulnerability that exploits a problem known for many years among the PHP developers. When a PHP application is run in PHP 4 it can overflow the variable reference counter because it is only 16 bit wide. Whenever this happens it will result in a double destruction of the underlying variable. A local attacker can easily create PHP code that uses such a double destruction to execute arbitrary code within the process executing PHP (e.g. webserver process). This allows bypassing restrictions enforced by disable_functions, open_basedir, SAFE_MODE or to launch direct local root exploits against the target system.

# Title Description PoC/Exploit References
45 PHP ext/filter Email Validation Vulnerability (U) A wrong regular expression in the email validation filter allows injection of a single newline at the end. Not needed CVE-NO-NAME
44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability Due to a signed integer comparison the request for more than 2 GB of memory will be answered with a minimum size memory block. This results in a myriad of (sometimes remotely) exploitable buffer overflows. Soon CVE-2007-1889
43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty An unchecked maxsize parameter to the msg_receive() function can result in an integer overflow during memory allocation that results in an exploitable buffer overflow. Soon CVE-2007-1890
42 PHP 5 php_stream_filter_create() Off By One Vulnerablity The internal wildcard handling for stream filters contains an exploitable off by one overflow vulnerability that can be triggered by accessing a php://filter URL. Soon CVE-NO-NAME
41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability Calling sqlite_udf_decode_binary() with a malformed input string can lead to an exploitable buffer overflow. Soon CVE-2007-1887
40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability An overlong boundary string passed to imap_mail_compose() will overflow a stack buffer and lead to arbitrary code execution. Soon CVE-NO-NAME
39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability When a single char is replaced by a long string many times in str_replace() this can result in an integer overflow in memory allocation that leads to a buffer overflow vulnerability. Soon CVE-2007-1885
38 PHP printf() Family 64 Bit Casting Vulnerabilities A 64 bit long to int cast results in multiple flaws in PHP's printf() function family that lead to a new class of exploitable vulnerabilities. PHP Application Format String Vulnerabilites. Soon CVE-2007-1884
37 PHP iptcembed() Interruption Information Leak Vulnerability (U) A malicious user space error handler that interrupts iptcembed() can manipulate its parameters which leads to disclosure of arbitrary heap memory. MOPB-37-2007.php CVE-2007-1883
36 PHP session.save_path open_basedir Bypass Vulnerability Due to some magic directory guessing a script can bypass the open_basedir restriction on the session save path. Not needed CVE-NO-NAME
35 PHP 4 zip_entry_read() Integer Overflow Vulnerability The zip_entry_read() function of PHP 4 is vulnerable to an integer overflow in memory allocation that leads to an exploitable bufferoverflow. MOPB-35-2007.php
x.zip		 CVE-NO-NAME
34 PHP mail() Header Injection Through Subject and To Parameters (U) A flaw in handling folded Subject and To headers allows mail header injection through both fields. Not needed CVE-NO-NAME
33 PHP mail() Message ASCIIZ Byte Truncation (U) ASCIIZ character injection into an email message will truncate it. Not needed CVE-NO-NAME
32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U) The security fix for MOPB-31-2007 introduced a double free vulnerability into PHP 4 that can lead to the execution of arbitrary code. MOPB-32-2007.php CVE-NO-NAME
MOPB-31-2007
31 PHP _SESSION Deserialization Overwrite Vulnerability Deserialization of session data can overwrite _SESSION which can be exploited to execute arbitrary code. MOPB-31-2007.php CVE-NO-NAME
30 PHP _SESSION unset() Vulnerability Unsetting HTTP_SESSION_VARS and _SESSION can lead to arbitrary code execution. MOPB-30-2007.php CVE-NO-NAME
29 PHP 5.2.1 unserialize() Information Leak Vulnerability (U) The new S: datatype in unserialize() does not work at all which leads to disclosure of heap memory content. MOPB-29-2007.php CVE-NO-NAME
28 PHP hash_update_file() Already Freed Resource Access Vulnerability (U) A malicious user stream can trick the hash_update_file() function into accessing an already freed hash resource. This can lead to arbitrary code execution. MOPB-28-2007.php CVE-NO-NAME
27 PHP ext/gd Already Freed Resource Access Vulnerability (U) A malicious error handler can trick the GD extension into accessing an already freed image resource which allows read and write access to arbitrary memory addresses from PHP code. This can lead to arbitrary code execution. MOPB-27-2007.php CVE-NO-NAME
26 PHP mb_parse_str() register_globals Activation Vulnerability (U) When the mb_parse_str() function is interrupted by for example a memory_limit violation this can result in register_globals being (and staying) activated for the Apache child. MOPB-26-2007.php CVE-NO-NAME
HPHP-19-2005
25 PHP header() Space Trimming Buffer Underflow Vulnerability When the header() function is called with an all whitespace string a buffer underflow can be triggered that allows code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC) MOPB-25-2007.php CVE-NO-NAME
MOPB-19-2007
24 PHP array_user_key_compare() Double DTOR Vulnerability (U) When the userspace key comparison function returns its parameters are destructed even if there are references left. Therefore an exploitable double DTOR can be triggered. MOPB-24-2007.php CVE-NO-NAME
23 PHP 5 Rejected Session Identifier Double Free Vulnerability (U) When a session storage module rejects a session id the session code fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free. MOPB-23-2007.php CVE-NO-NAME
MOPB-22-2007
22 PHP session_regenerate_id() Double Free Vulnerability (U) session_regenerate_id() fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free. MOPB-22-2007.php CVE-NO-NAME
21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability (U) The compress.bzip2:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed area Not needed CVE-NO-NAME
20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability (U) The zip:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed area Not needed CVE-NO-NAME
19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability When ext/filter is used in an application to filter user input a buffer underflow can be triggered that allows remote code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC) MOPB-19-2007.php CVE-NO-NAME
18 PHP ext/filter HTML Tag Stripping Bypass Vulnerability When ext/filter is configured to strip characters with low ASCII values it is possible to bypass the HTML tag filter in an easy way. Not needed CVE-NO-NAME
17 PHP ext/filter FDF Post Bypass Vulnerability POST data in the FDF format is not processed at all by ext/filter. When PHP is compiled with FDF support, sitewide enforced filtering will not be performed on it. MOPB-17-2007.php CVE-NO-NAME
16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability The zip:// URL wrapper suffers from a standard stack based buffer overflow that occurs when an overlong URL is parsed and can therefore lead to arbitrary code execution. MOPB-16-2007.php CVE-NO-NAME
15 PHP shmop Functions Resource Verification Vulnerability The shmop functions do not verify that the supplied resource is of the correct type. This allows read and write access to arbitrary memory addresses and allows the execution of arbitrary code. MOPB-15-2007.php
MOPB-15-2007-RSA.php		 CVE-NO-NAME
14 PHP substr_compare() Information Leak Vulnerability (U) An integer overflow in the substr_compare() function allows reading arbitrary heap memory. MOPB-14-2007.php CVE-NO-NAME
13 PHP 4 Ovrimos Extension Multiple Vulnerabilities The Ovrimos extension shipped with PHP 4 considers arguments as direct memory pointers. This allows direct memory access which leads to arbitrary code execution. Not needed CVE-NO-NAME
12 mod_security POST Rules Bypass Vulnerability (U) (B) An ASCIIZ character embedded in application/x-www-form-urlencoded POST data terminates the data in the eyes of mod_security, which results in a trivial way to bypass its rules. Not needed CVE-NO-NAME
11 PHP WDDX Session Deserialization Information Leak Vulnerability Numerical keys in session data in WDDX format might leak an arbitrary portion of stack data into PHP variables. MOPB-11-2007.php CVE-2007-0908
10 PHP php_binary Session Deserialization Information Leak Vulnerability Malformed session data in php_binary format might leak a portion of heap data into PHP variables. MOPB-10-2007.php CVE-NO-NAME
9 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability (U) Malformed WDDX data might trigger an exploitable buffer overflow that was introduced by a pseudo security fix. MOPB-09-2007.php CVE-NO-NAME
8 PHP 4 phpinfo() XSS Vulnerability (Deja-vu) (U) phpinfo() does not escape the content of user supplied arrays in GET, POST or COOKIE variables when it displays them which leads to an XSS vulnerability. MOPB-08-2007.phpt HPHP-18-2005
CVE-NO-NAME
7 Zend Platform ini_modifier Local Root Vulnerability (B) The ini_modifier of the Zend Platform can be tricked by a local user to edit the system php.ini file, which can be used to obtain root privileges. Not needed CVE-NO-NAME
6 Zend Platform Insecure File Permission Local Root Vulnerability (B) Several binaries and shellscripts installed by the Zend Platform are installed with unsafe permissions that might allow an attacker to gain root privileges. Not needed CVE-NO-NAME
5 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability Deserialisation of malformed PHP arrays from within unserialize() might result in a tight endless loop exhausting CPU ressources on 64bit systems. Not needed CVE-2007-0988
4 PHP 4 unserialize() ZVAL Reference Counter Overflow During unserialisation of user supplied data that contains a lot of references to a variable the internal 16bit zval reference counter can overflow. This leads to an exploitable double dtor condition. MOPB-04-2007.php CVE-NO-NAME
MOPB-01-2007
3 PHP Variable Destructor Deep Recursion Stack Overflow (U) The destruction of deeply nested PHP arrays will exhaust all available stack which leads to remotely triggerable crashes. Not needed CVE-NO-NAME
2 PHP Executor Deep Recursion Stack Overflow (U) A deep recursion of PHP userland code will exhaust all available stack which leads to a sometimes remotely triggerable crash. Not needed CVE-2006-1549
1 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability (U) In PHP 4 userland code is able to overflow the internal 16bit zval reference counter by creating many references to a variable. This leads to an exploitable double dtor condition. MOPB-01-2007.php CVE-NO-NAME